# Ansible Security Baseline and Top 10 Misconfigurations > **Intro:** Automation magnifies intent. Secure Ansible design is mostly about source control, credential handling, approval flow, and limiting what automation can reach. > > **What this page includes** > > * baseline security guidance > * top 10 Ansible and AWX / Controller misconfigurations > * comments on practical rollout ## Baseline * keep playbooks, inventories, and roles in version control * require peer review before automation reaches production * separate playbook authors, credential admins, and platform admins where practical * store secrets in Vault or equivalent secret backends * do not expose AWX / Controller broadly to the internet * minimize superuser and sudo access * use signed or trusted collections and dependencies where possible * limit inventory and credential visibility to those who need it ## Top 10 misconfigurations 1. Production credentials visible to too many users 2. AWX / Controller exposed directly to the public internet 3. Shared admin or superuser accounts 4. Playbooks that shell out excessively when safer modules exist 5. Inventories with stale, privileged, or unscoped targets 6. Secrets committed to repos or stored in plain variables 7. Automation accounts with broad root or domain-admin reach 8. No branch protection or approval flow on playbooks 9. Third-party roles and collections used without review 10. Logs or job outputs exposing secrets ## Example checks ```bash ansible-lint site.yml ansible-playbook --syntax-check site.yml grep -R "become: yes" . grep -R "password:" . ``` ## Design comment The most dangerous Ansible environments are the ones that feel efficient because they skip review, overtrust automation accounts, and treat inventories as harmless metadata. ## 2026 modernization notes * normalize older **Ansible Tower** references to **AWX** or **Ansible Automation Platform Controller** depending on whether you mean the community or supported product line; * prefer reviewed job definitions and execution environments over controller-local package sprawl; * treat `ansible-container` as historical context, not as a current recommendation; * validate playbooks and roles against newer ansible-core templating behavior before major upgrades. ## Related page * [🤖 Security Automation Controllers — AWX, Jenkins, and Rundeck Patterns](/devsecops-cicd-and-supply-chain/index-1/ansible-awx-jenkins-rundeck-security-automation-patterns.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/cloud-kubernetes-and-infrastructure-security/index/ansible-security-baseline-and-misconfigurations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.